Issue with cdk blueprint version 1.4 when upgrading EKS version v1.21 to v1.23

Open vumdao opened this issue 3 years ago • 4 comments

Describe the bug

Lambda log:

2022-11-04T16:23:17.763Z	f84f8eb0-31d1-4010-910b-935142fb2d11	INFO	onUpdate: {
    "updates": {
        "replaceName": false,
        "replaceVpc": false,
        "updateAccess": false,
        "replaceRole": false,
        "updateVersion": true,
        "updateEncryption": true,
        "updateLogging": false
    }
}

2022-11-04T16:23:17.764Z	f84f8eb0-31d1-4010-910b-935142fb2d11	ERROR	Invoke Error 	{
    "errorType": "Error",
    "errorMessage": "Cannot update cluster encryption configuration",
    "stack": [
        "Error: Cannot update cluster encryption configuration",
        "    at ClusterResourceHandler.onUpdate (/var/task/cluster.js:1:2102)",
        "    at ClusterResourceHandler.onEvent (/var/task/common.js:1:680)",
        "    at Runtime.onEvent [as handler] (/var/task/index.js:1:1434)",
        "    at Runtime.handleOnceNonStreaming (/var/runtime/Runtime.js:73:25)"
    ]
}

Expected Behavior

Upgrade successfully

Current Behavior

Failed

Reproduction Steps

Run cdk deploy

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.50.0

EKS Blueprints Version

1.4.0

Node.js Version

v18.9.1

Environment details (OS name and version, etc.)

macOS 13.0

Other information

No response

vumdao avatar Nov 05 '22 03:11 vumdao

I've run into the exact same error while simply updating @aws-quickstart/eks-blueprints from 1.3.0 to 1.4.0.

hit0ri avatar Nov 07 '22 14:11 hit0ri

This looks like a regression from this change https://github.com/aws-quickstart/cdk-eks-blueprints/pull/516. We are hitting the same error after upgrading from 1.3.0 -> 1.4.0.

Received response status [FAILED] from custom resource. Message returned: Cannot update cluster encryption configuratios

According to this https://github.com/aws-cloudformation/cloudformation-coverage-roadmap/issues/1234, I think a cluster created prior to 1.4.0 will have issues. cc @pflorek

Mr-istov avatar Nov 08 '22 14:11 Mr-istov

Same issue here.

iktakahiro avatar Dec 07 '22 07:12 iktakahiro

Removing the cluster encryption key now will cause the same issue for clusters that were provisioned after 1.4.x. I can add an explicit option to leave the cluster unencrypted if that works. The upgrade path will be to set the option for existing blueprints.

shapirov103 avatar Dec 07 '22 15:12 shapirov103

Is there a workaround for this? I'd like to upgrade from 1.3.0 to 1.5.2, but I'm getting this error. I'd rather not create a new cluster in production.

jdwil avatar Dec 31 '22 23:12 jdwil

I think I got past this okay, but it's a bad hack. I sub-classed GenericClusterProvider, copied the createCluster code into an overridden method, and hard-coded the secretsEncryptionKey to undefined.

@shapirov103 I'll switch to your upgrade path when it's done. If you want me to take a stab at it, I'm happy to do so, but you might point me to the spot where you think this option should be set. I've not yet contributed to this project, so I'm not intimately familiar with all the code.

jdwil avatar Jan 01 '23 21:01 jdwil

Example of creating unencrypted cluster:

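    import * as cdk from 'aws-cdk-lib';
    import * as blueprints from '@aws-quickstart/eks-blueprints';

    const app = new cdk.App();
    const stack = blueprints.EksBlueprint.builder()
      .account("123456789012")
      .region("us-east-1")
      // Opt out of the default secrets encryption so the cluster stays unencrypted.
      .useDefaultSecretEncryption(false)
      .build(app, "east-test-1");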

shapirov103 avatar Jan 12 '23 15:01 shapirov103
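
A pre-deploy check for the mismatch discussed in this thread, as an added example that is not code from cdk-eks-blueprints, aws-cdk, or any commenter above. It compares the encryption state reported by `aws eks describe-cluster` with the synthesized template; the resource type `Custom::AWSCDK-EKS-Cluster`, the `Properties.Config` layout, the function names and the sample data are assumptions constructed for illustration.

```javascript
// Added example, not code from cdk-eks-blueprints or aws-cdk.
// Assumed (not stated on the page): the synthesized template holds the cluster as a
// Custom::AWSCDK-EKS-Cluster resource with its EKS settings under Properties.Config.

// Reduce an encryptionConfig list to a comparable string. Key ARNs are ignored
// because in a synthesized template they are unresolved Ref/Fn::GetAtt tokens.
function encryptionShape(cfg) {
  if (!Array.isArray(cfg) || cfg.length === 0) return "none";
  return cfg.map((e) => [...(e.resources || [])].sort().join(",")).sort().join(";");
}

// live: parsed `aws eks describe-cluster` output; template: parsed synthesized template.
function checkEncryptionDrift(live, template) {
  const liveShape = encryptionShape(live.cluster && live.cluster.encryptionConfig);
  return Object.entries(template.Resources || {})
    .filter(([, res]) => res.Type === "Custom::AWSCDK-EKS-Cluster")
    .map(([logicalId, res]) => {
      const config = (res.Properties && res.Properties.Config) || {};
      const wanted = encryptionShape(config.encryptionConfig);
      // A difference is the case the log above reports as "updateEncryption": true,
      // assuming the live cluster still matches the previously deployed template.
      return { logicalId, live: liveShape, template: wanted, encryptionChanged: liveShape !== wanted };
    });
}

// Constructed sample data: a cluster that was created without secrets encryption.
const liveCluster = { cluster: { name: "east-test-1", version: "1.21" } };
// Constructed template in which the cluster now carries a KMS key for secrets.
const templateWithKey = { Resources: {
  ClusterKey: { Type: "AWS::KMS::Key", Properties: {} },
  Cluster: { Type: "Custom::AWSCDK-EKS-Cluster", Properties: { Config: {
    version: "1.23",
    encryptionConfig: [{ provider: { keyArn: { "Fn::GetAtt": ["ClusterKey", "Arn"] } }, resources: ["secrets"] }],
  } } },
} };
// Constructed template for the same stack built with .useDefaultSecretEncryption(false).
const templateNoKey = { Resources: {
  Cluster: { Type: "Custom::AWSCDK-EKS-Cluster", Properties: { Config: { version: "1.23" } } },
} };

for (const [label, tpl] of [["default", templateWithKey], ["opt-out", templateNoKey]]) {
  for (const r of checkEncryptionDrift(liveCluster, tpl)) {
    console.log(`${label}: ${r.logicalId} live=${r.live} template=${r.template} changed=${r.encryptionChanged}`);
  }
}
```

For a real stack, feed it the JSON from `aws eks describe-cluster --name <cluster>` and the template file under `cdk.out` after `cdk synth`.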